[Puppet - Bug #14790] (Unreviewed) catch-22 in dependency ordering for user and ssh_authorized_key

tic...@puppetlabs.com

Jun 2, 2012, 1:47:15 PM
to ja...@lovedthanlost.net, puppe...@googlegroups.com, r...@devco.net, k...@puppetlabs.com, tux...@gmail.com, sanjiv...@gmail.com
Issue #14790 has been reported by Jo Rhett.

Bug #14790: catch-22 in dependency ordering for user and ssh_authorized_key

  • Author: Jo Rhett
  • Status: Unreviewed
  • Priority: Normal
  • Assignee:
  • Category: agent
  • Target version: 2.7.x
  • Affected Puppet version: 2.7.14
  • Keywords:
  • Branch:

In theory, the dependency of the ssh_authorized_key upon the user makes sense, but in practice it fails.

You can’t create the ssh_authorized_key until the user exists, check. You can’t remove the ssh_authorized_key unless the user fails… fail.

There’s no simple way to order this such that an ssh key is removed when the user is removed.

The only way around this problem is the rather ugly:

    # Removal: the key has to be purged before the user resource is processed.
    if $ensure == 'absent' {
        ssh_authorized_key { "system-$username":
            ensure  => absent,
            name    => "system-$username",
            target  => "/etc/ssh/keys/$username",
            user    => $username,
            type    => $keytype,
            key     => $key,
            before  => User[$username],
        }
    }

    user { $username:
        ensure     => $ensure,
        comment    => $comment,
        home       => $home,
        shell      => $shell,
        uid        => $uid,
        gid        => $groupname,
        managehome => true,
        system     => false,
        require    => Group[$groupname],
    }

    # Creation: no explicit ordering, the key's dependency on the user applies.
    if $ensure == 'present' {
        ssh_authorized_key { "system-$username":
            ensure  => present,
            name    => "system-$username",
            target  => "/etc/ssh/keys/$username",
            user    => $username,
            type    => $keytype,
            key     => $key,
        }
    }

That seems a long bit unpuppet-like.



tic...@puppetlabs.com

Jun 2, 2012, 1:52:34 PM
to ja...@lovedthanlost.net, puppe...@googlegroups.com, r...@devco.net, k...@puppetlabs.com, tux...@gmail.com, sanjiv...@gmail.com
Issue #14790 has been updated by Jo Rhett.

I’d also like to point out that this problem isn’t just a quiet annoyance. Unless the double-ifed syntax above is used, removal of the user causes a puppet agent run failure report every $runinterval.
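
A check for the situation this ticket describes, where a user is removed but the key file under `/etc/ssh/keys` is not: the function below lists key files whose name matches no account. It is an added example, not part of the ticket or of Puppet; the one-file-per-user layout is taken from the `target` in the manifest above, and the function name `orphaned_keys` and its arguments are assumptions.

```shell
#!/bin/sh
# Added example: report key files left behind for accounts that no longer exist.
# Assumes one key file per user, named after the user, as in the ticket's
#   target => "/etc/ssh/keys/$username"
#
# Usage: orphaned_keys KEYDIR [PASSWD_FILE]
#   Prints one path per line for every regular file in KEYDIR whose basename
#   is not a login name. With PASSWD_FILE the lookup reads that file (for
#   reviewing a collected copy offline); without it, getent is used so that
#   accounts from LDAP/NIS are seen as well.
orphaned_keys() {
    keydir=$1
    passwd_file=${2:-}
    for path in "$keydir"/*; do
        # Skip directories, and the literal pattern when KEYDIR is empty.
        [ -f "$path" ] || continue
        name=${path##*/}
        if [ -n "$passwd_file" ]; then
            # Exact match on the login-name field, not a substring or regex.
            awk -F: -v u="$name" '$1 == u { found = 1 } END { exit !found }' \
                "$passwd_file" && continue
        else
            getent passwd "$name" >/dev/null 2>&1 && continue
        fi
        # No matching account: this key file outlived its user.
        printf '%s\n' "$path"
    done
}
```

Calling `orphaned_keys /etc/ssh/keys` on a managed node after a run that reported a failure shows which keys still need removing.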

tic...@puppetlabs.com

Jun 8, 2012, 11:52:10 AM
to ja...@lovedthanlost.net, puppe...@googlegroups.com, r...@devco.net, k...@puppetlabs.com, tux...@gmail.com, sanjiv...@gmail.com, jrh...@netconsonance.com
Issue #14790 has been updated by Kelsey Hightower.
  • Status changed from Unreviewed to Accepted
  • Author: Jo Rhett
  • Status: Accepted

tic...@puppetlabs.com

Jan 4, 2013, 6:53:19 PM
to ja...@lovedthanlost.net, puppe...@googlegroups.com, r...@devco.net, k...@puppetlabs.com, tux...@gmail.com, stuart....@remphrey.net, ste...@zipkid.eu, andres.c...@intel.com, jrh...@netconsonance.com, damian....@allegro.pl
Issue #14790 has been updated by Andrew Parker.
  • Target version deleted (2.7.x)

As the 2.7.x line is winding down, I am removing the target at 2.7.x from tickets in the system. The 2.7 line should only receive fixes for major problems (crashes, for instance) or security problems.

  • Author: Jo Rhett
  • Status: Accepted
  • Priority: Normal
  • Assignee:
  • Category: agent
  • Target version: